
Re: [FW-1] FW-1-MAILINGLIST Digest - 3 Dec 2001 to 4 Dec 2001 (#2001-63)



I'll see if I can answer some questions...

1) There are known problems with LinkSys routers.  Make sure firmware is
upgraded and it is allowing UDP port 500 for the IKE key exchange.  We have
had some users end up having to swap hardware.
2) I'm pretty sure Hybrid mode doesn't work unless you have the Cert.
Authority working.  In addition to the "fw internalca certify" command, you
also need the "fw internalca create" command to create the CA.  Once the CA
is created, you can "certify" each FW module.  In your example, trek is the
name of your firewall, while "o=boston, c=us" are just organization and
container labels.  You can change it to location and city or country
("o=Atlanta, c=US").
3) The ":dns_xlate (true)" and ":dns_encrypt (true)" statements go in the
userc.C file on the SR client.  You'll need to create $FWDIR/conf/dnsinfo.C
and modify $FWDIR/lib/crypt.def as well.  This is only if you want to use
Encrypted/Split DNS (DNS from your office network rather than from a public
DNS server on the Internet).

Doug Johnson
Internet Security Systems
Sr. Network Engineer
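The two statements Doug refers to, ":dns_xlate (true)" and ":dns_encrypt (true)", live in the client's userc.C, which uses the Check Point ".C" set syntax: ":name (value)" entries nested by parentheses. The script below is an added example and not code from this thread or from Check Point; it parses that syntax into nested dictionaries, reports whether the two split-DNS flags are enabled, and adds or corrects them at the top level of the file. The sample file is constructed for the example; apart from dns_xlate and dns_encrypt, its section names are made up and are not claimed to match a real userc.C, and the parser covers only the simple subset of the grammar needed here.

```python
import re

# Tokens: "(", ")", a double-quoted string, or any run of non-space,
# non-parenthesis characters (names start with ":" and are kept as-is).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def tokenize(text):
    return TOKEN_RE.findall(text)


def parse_set(tokens, pos):
    """Parse a parenthesised set starting at tokens[pos] == "(".

    Returns (dict, next_pos). ":name (scalar)" becomes a string value,
    ":name (:sub ...)" becomes a nested dict.
    """
    if tokens[pos] != "(":
        raise ValueError("expected '(' at token %d" % pos)
    pos += 1
    result = {}
    while tokens[pos] != ")":
        tok = tokens[pos]
        if not tok.startswith(":"):
            raise ValueError("expected ':name' at token %d, got %r" % (pos, tok))
        name = tok[1:]
        pos += 1
        if tokens[pos] != "(":
            # bare value with no parentheses: ":name value"
            result[name] = tokens[pos].strip('"')
            pos += 1
        elif tokens[pos + 1].startswith(":") or tokens[pos + 1] == ")":
            # nested (possibly empty) set
            result[name], pos = parse_set(tokens, pos)
        else:
            # scalar in parentheses: ":name (value)"
            result[name] = tokens[pos + 1].strip('"')
            if tokens[pos + 2] != ")":
                raise ValueError("unterminated scalar for %s" % name)
            pos += 3
    return result, pos + 1


def parse(text):
    tokens = tokenize(text)
    result, pos = parse_set(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens after top-level set")
    return result


def as_bool(value):
    return str(value).lower() == "true"


def split_dns_status(config):
    """Which of the two split-DNS flags from the thread are enabled at top level."""
    return {
        "dns_xlate": as_bool(config.get("dns_xlate", "false")),
        "dns_encrypt": as_bool(config.get("dns_encrypt", "false")),
    }


def ensure_split_dns(text):
    """Return the file text with both flags set to true at top level.

    Works on the raw text so unrelated formatting survives: a missing flag is
    appended before the final ")", a flag set to something other than true is
    rewritten in place (first textual occurrence, assumed to be the top-level one).
    """
    config = parse(text)
    for key in ("dns_xlate", "dns_encrypt"):
        if key not in config:
            closing = text.rstrip().rfind(")")
            text = text[:closing] + "    :%s (true)\n" % key + text[closing:]
        elif not as_bool(config[key]):
            text = re.sub(r":%s\s*\([^)]*\)" % key, ":%s (true)" % key, text, count=1)
    return text


# Constructed sample userc.C; section names other than dns_xlate are invented.
SAMPLE_USERC = """(
    :options (
        :encryption_method (IKE)
    )
    :dns_xlate (false)
    :sites (
        :trek (
            :ip (192.0.2.1)
        )
    )
)
"""

if __name__ == "__main__":
    before = split_dns_status(parse(SAMPLE_USERC))
    fixed = ensure_split_dns(SAMPLE_USERC)
    print("before:", before)
    print("after: ", split_dns_status(parse(fixed)))
    print(fixed)
```

Run it against a copy of the client's userc.C rather than the live file, diff the result, and only then copy it into place; the parser raises ValueError on anything outside the subset it understands instead of guessing.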

------------------------------

Date:    Tue, 4 Dec 2001 12:11:52 -0800
From:    Alan Choyna <[email protected]>
Subject: Securemote not working. Should l use Hybrid IKE?

Currently from my W2K PC behind my Linksys router (most current
firmware) I can update the site with the current key successfully using
securemote (build 4188) from our Nokia IP440 (version 4.1 SP3).

But whenever I try to use telnet, FTP or Timbuktu (these are all I've
tried so far) using the internal ip on our internal network behind our
Nokia IP440 I authenticate successfully, but then nothing happens, it
seems to hang and there are no messages in the log file after the
successful authentication message.

I am using IKE only with UDP encapsulation and support IKE over TCP
options. FW-1 is also configured to use IKE. I have set all of my
encryption and FW1 profile settings to log everything.

I am running on a 192.168.5.* network behind the linksys, and our
internal network behind the IP440 is 1192.68.50.*, so I am sure it's not
the ip getting it confused.

I have also set hybrid Mode Securemote authentication on the firewall
object, but have not yet set up the Certificate authority. Could that be
confusing it?

my FW rule is:  secureremote@any              securegroup
any            client encrypt              log long.

I have seen that there are some things I could do, like use hybrid IKE.
I was told to use this because we are running securemote from clients
behind a Linksys router using DSL (no static ip address), I was advised
that we should be using hybrid mode IKE authentication.

To set up the certificate authority I telnet to the ip440 (we don't have
a separate management station), and CD to $FWDIR/bin, stop the firewall
and then use the following command:

fw internalca certify -o trek "o=boston, c=us"

What do the "o=boston" and "c=us" options mean? Should I be changing
these values to something for our site? Is "boston" a remote user?
Should I do this process for each user?

I have also seen people recommend to add:

:dns_xlate (true)
:dns_encrypt (true)

to the userc.C file on the firewall. Where do I insert it? Does anything
have to be done to the objects.C file?

Sorry for all the questions, but I really want to get it right soon, as
I'm getting management pressure.

Regards,

Alan.

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================